How to make the Windows firewall play nice with tracert?
September 14, 2005 9:12 AM
WinXP question:
tracert
only works when the Windows firewall is turned off. I've added \windows\system32\tracert.exe to the approved programs list, but no luck. Any ideas?
the traceroute program on unix (as on windows) relies on two protocols; ICMP and UDP. make sure that you're allowing packets for both protocols.
posted by moz at 9:19 AM on September 14, 2005
The blocking of ICMP packets is one of the things most "Personal Firewalls" get wrong. They sell the concept of "security through obscurity" - if you can't see the machine, you can't try and hack it. But blocking ICMP breaks PING and (as you've discovered) traceroute, amongst other things, and there are other, non-ICMP-based scans that a hacker can use to see your machine, so it's pointless anyhow... Let ICMP in and out of your firewall.
posted by benzo8 at 9:19 AM on September 14, 2005
Weird. tracert has always worked for me with the stock XP firewall turned on.
posted by zsazsa at 9:26 AM on September 14, 2005
moz, I think Windows XP uses ICMP packets exclusively for tracert. Most other trace route programs send out UDP packets.
posted by bachelor#3 at 9:27 AM on September 14, 2005
the traceroute program on unix (as on windows) relies on two protocols; ICMP and UDP.
Correct for Unix; not so for Windows, which uses only ICMP.
But blocking ICMP breaks PING and (as you've discovered) traceroute, amongst other things
Remember that traceroute is looking for ICMP ttl-expired (which are critical to being able to use the network without your sent packets quietly disappearing) and not ICMP echo-reply (which is only useful for ping itself).
That said, include me in the "it works for me" department. Crank up your XP firewall logging to log dropped packets and see exactly what it's blocking, for a start.
posted by mendel at 9:38 AM on September 14, 2005
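Following mendel's suggestion to log dropped packets and read what the firewall is actually blocking, here is an added example (not code from the thread) that parses a Windows Firewall log in the W3C-style pfirewall.log format and reports dropped ICMP packets by type. The sample log lines are constructed for the example; the field names follow the `#Fields:` header the firewall writes. It checks specifically for the two inbound ICMP types tracert depends on: time-exceeded (type 11) from each intermediate hop and echo-reply (type 0) from the final host.

```python
"""Summarise dropped ICMP packets in a Windows Firewall log (pfirewall.log).

Added example, not from the thread. Assumes the W3C-style log that Windows
Firewall writes when "log dropped packets" is enabled. SAMPLE_LOG below is a
constructed log, not a real capture.
"""
from collections import Counter

# Standard IANA ICMP type numbers that matter for ping and traceroute.
ICMP_TYPE_NAMES = {
    0: "echo-reply",
    3: "destination-unreachable",
    5: "redirect",
    8: "echo-request",
    11: "time-exceeded",
}

# Windows tracert sends echo-request (8) with an increasing TTL and needs to
# receive time-exceeded (11) from each hop and echo-reply (0) from the target.
TRACERT_INBOUND_TYPES = {0, 11}

# Constructed sample: two hops' time-exceeded replies and the final echo-reply
# are dropped, plus an unrelated TCP drop and an allowed outbound DNS query.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-09-14 09:15:01 DROP ICMP 192.0.2.1 192.168.1.5 - - 56 - - - - 11 0 - RECEIVE
2005-09-14 09:15:02 DROP ICMP 192.0.2.2 192.168.1.5 - - 56 - - - - 11 0 - RECEIVE
2005-09-14 09:15:03 DROP ICMP 198.51.100.9 192.168.1.5 - - 56 - - - - 0 0 - RECEIVE
2005-09-14 09:15:10 DROP TCP 203.0.113.7 192.168.1.5 4021 135 48 S 123456 0 65535 - - - RECEIVE
2005-09-14 09:15:11 OPEN UDP 192.168.1.5 192.168.1.1 1035 53 0 - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        yield dict(zip(fields, values))


def dropped_icmp_by_type(text):
    """Count DROP entries for ICMP, keyed by ICMP type number."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["action"] == "DROP" and rec["protocol"] == "ICMP":
            counts[int(rec["icmptype"])] += 1
    return counts


def tracert_blocked(text):
    """True if any inbound ICMP reply that tracert needs was dropped."""
    for rec in parse_log(text):
        if (rec["action"] == "DROP" and rec["protocol"] == "ICMP"
                and rec.get("path") == "RECEIVE"
                and int(rec["icmptype"]) in TRACERT_INBOUND_TYPES):
            return True
    return False


if __name__ == "__main__":
    for icmp_type, n in sorted(dropped_icmp_by_type(SAMPLE_LOG).items()):
        name = ICMP_TYPE_NAMES.get(icmp_type, "other")
        print(f"dropped ICMP type {icmp_type} ({name}): {n}")
    print("tracert replies blocked:", tracert_blocked(SAMPLE_LOG))
```

Point the script at the real log path instead of `SAMPLE_LOG` to check your own firewall; if the dropped types 11 and 0 show up with path RECEIVE, that is the drop that makes tracert print only asterisks, and allowing those inbound ICMP types (rather than all of ICMP) is the narrowest fix.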
Response by poster: ICMP packets were turned off. I allowed them and now everything works as expected. Thanks AskMe!
posted by stopgap at 10:13 AM on September 14, 2005
There is good reason to block ICMP packets, and it's not security-through-obscurity. They are (were?) a popular method of denial-of-service attacks. The attacker would flood you with pings and this would increase network latency and bandwidth to near unusability. Happened to me several times until I disabled ICMP.
Also, if I'm not mistaken, in the earlier days of routers, ICMP could be used to configure routers to a certain extent. You could basically send a command to a router that the next hop for this address should be X.X.X.X instead of Y.Y.Y.Y. This would allow an attacker to route his target's traffic through a machine he controlled, with no one the wiser. From there he could sniff away at it. This is sort of urban-legendish, I've never seen credible accounts of it being done and I suspect not too many routers ever had such features enabled.
That said, let ICMP through. If you get DOSed, turn it off.
posted by RustyBrooks at 10:20 AM on September 14, 2005